trickbot | bd7729979ce89a15f5a8195fa33f17c5fc59d5636f3294ef8f397decd6f05c79

General

Target

SecuriteInfo.com.Heur.1516.25525.xls
Size

274KB
MD5

86bcd1dbc5f256c0cd0ef95d57821946
SHA1

6b7e3f13faafed23d1460ae25a2caef46a5ad8ae
SHA256

bd7729979ce89a15f5a8195fa33f17c5fc59d5636f3294ef8f397decd6f05c79
SHA512

660d524c08eee362d88920671f4adacb42278c7dcc749cd82b8d59cbfb8862fce3411e71a2388b73d150d91f7d9436a7d2e6fe0f39fd83eedc049804fbc60051

Score

10^/10

trickbot net10 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000029

Botnet

net10

C2

103.66.72.217:443

117.252.68.211:443

103.124.173.35:443

115.73.211.230:443

117.54.250.246:443

131.0.112.122:443

102.176.221.78:443

181.176.161.143:443

154.79.251.172:443

103.111.199.76:443

103.54.41.193:443

154.79.244.182:443

154.79.245.158:443

139.255.116.42:443

178.254.161.250:443

178.134.47.166:443

158.181.179.229:443

103.90.197.33:443

109.207.165.40:443

178.72.192.20:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3864	3560	rundll32.exe	EXCEL.EXE

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Templ.dll packer 1 IoCs

Detects Templ.dll packer which usually loads Trickbot.

Processes:

resource	yara_rule
behavioral2/memory/1520-183-0x0000000004460000-0x0000000004686000-memory.dmp	templ_dll

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1520 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3768 1520 WerFault.exe rundll32.exe

pid	process
1520	rundll32.exe

pid	pid_target	process	target process
3768	1520	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3560 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

WerFault.exe

pid	process
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe
3768	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exewermgr.exe

description	pid	process
Token: SeRestorePrivilege	3768	WerFault.exe
Token: SeBackupPrivilege	3768	WerFault.exe
Token: SeDebugPrivilege	3768	WerFault.exe
Token: SeDebugPrivilege	1676	wermgr.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

EXCEL.EXE

pid	process
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE
3560	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exe

description	pid	process	target process
PID 3560 wrote to memory of 3864	3560	EXCEL.EXE	rundll32.exe
PID 3560 wrote to memory of 3864	3560	EXCEL.EXE	rundll32.exe
PID 3864 wrote to memory of 1520	3864	rundll32.exe	rundll32.exe
PID 3864 wrote to memory of 1520	3864	rundll32.exe	rundll32.exe
PID 3864 wrote to memory of 1520	3864	rundll32.exe	rundll32.exe
PID 1520 wrote to memory of 1676	1520	rundll32.exe	wermgr.exe
PID 1520 wrote to memory of 1676	1520	rundll32.exe	wermgr.exe
PID 1520 wrote to memory of 1676	1520	rundll32.exe	wermgr.exe
PID 1520 wrote to memory of 1676	1520	rundll32.exe	wermgr.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.1516.25525.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\iofjgjfldnd.hde,StartW
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\iofjgjfldnd.hde,StartW
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 664
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\iofjgjfldnd.hde
MD5
37062b08a85b8fe69f95a2c4f33fae05

SHA1
a4199f5dd132fdbf4868e4e4fdfabf996d2dc319

SHA256
b4ec0c58110e3b4b7e6ba76b5d5fc2eff7578763328daaadf39df270510fa7b8

SHA512
48f07db9c62d586c381b7ff6120880db893c8133f0e8faa63982dd3cdbf8a78d9d2e5d4ff6a9afab859cebdb8dfbaf89fb5ff6f1baeb7f79a0971b1f5a522996

Download Submit
\Users\Admin\iofjgjfldnd.hde
MD5
37062b08a85b8fe69f95a2c4f33fae05

SHA1
a4199f5dd132fdbf4868e4e4fdfabf996d2dc319

SHA256
b4ec0c58110e3b4b7e6ba76b5d5fc2eff7578763328daaadf39df270510fa7b8

SHA512
48f07db9c62d586c381b7ff6120880db893c8133f0e8faa63982dd3cdbf8a78d9d2e5d4ff6a9afab859cebdb8dfbaf89fb5ff6f1baeb7f79a0971b1f5a522996

Download Submit
memory/1520-181-0x0000000000000000-mapping.dmp

Download
memory/1520-187-0x0000000010001000-0x0000000010003000-memory.dmp

Filesize
8KB

Download
memory/1520-185-0x0000000000C60000-0x0000000000CA3000-memory.dmp

Filesize
268KB

Download
memory/1520-186-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1520-183-0x0000000004460000-0x0000000004686000-memory.dmp

Filesize
2.1MB

Download
memory/1676-189-0x0000022E7BC60000-0x0000022E7BC61000-memory.dmp

Filesize
4KB

Download
memory/1676-188-0x0000022E7BC20000-0x0000022E7BC48000-memory.dmp

Filesize
160KB

Download
memory/1676-184-0x0000000000000000-mapping.dmp

Download
memory/3560-118-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp

Filesize
64KB

Download
memory/3560-123-0x000002343CC50000-0x000002343EB45000-memory.dmp

Filesize
31.0MB

Download
memory/3560-121-0x00007FF8EE870000-0x00007FF8EF95E000-memory.dmp

Filesize
16.9MB

Download
memory/3560-122-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp

Filesize
64KB

Download
memory/3560-114-0x00007FF611670000-0x00007FF614C26000-memory.dmp

Filesize
53.7MB

Download
memory/3560-117-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp

Filesize
64KB

Download
memory/3560-116-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp

Filesize
64KB

Download
memory/3560-115-0x00007FF8CDBE0000-0x00007FF8CDBF0000-memory.dmp

Filesize
64KB

Download
memory/3864-179-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads